claudetools/clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md
Howard Enos 2919b3dec6 sync: auto-sync from HOWARD-HOME at 2026-05-16 13:49:46
# Caregiver M365 + Entra P2 Rollout Plan (Cascades of Tucson)
**Status:** Caregiver AD accounts were created 2026-05-16 (see Open items). Licensing and Conditional Access have not started; do NOT assign licenses or take Entra Connect out of staging yet.
**Created:** 2026-04-18 (Howard)
**Source:** `C:\Users\howar\OneDrive\Documents\Caregiver Scheduled shifts and phone #.xlsx` (as of 2026-04-17)
## Goal / why this matters
Cascades is deploying 25 shared Android phones plus 9 kitchen iPads to get caregivers off shared workstations and into their own authenticated sessions (ALIS EHR, Outlook, Edge). For that to actually improve HIPAA posture, every caregiver needs:
1. Their own identity (AD user + M365 mailbox) so actions are attributable per-person rather than to a shared "Caregiver" login
2. **Entra ID P1** (the license Conditional Access requires; it is bundled in Business Premium, and P2 adds only risk-based sign-in policies, PIM and access reviews, none of which this plan uses) so we can apply Conditional Access policies that restrict mobile email + ALIS access to:
- Managed (Intune-enrolled) shared phones, AND
- The Cascades physical network / trusted location (public IP ranges as a named location)
3. Policy block on personal-device access to Exchange + ALIS (HIPAA §164.312 access control)
Today none of these caregivers exist in AD or M365 — they use shared workstation logins and don't have email at all. That is the gap this rollout closes.
**Also noted (explicit call-out to add to the proposal):** we did not previously frame the Business Premium proposal as "we're adding phones AND licenses to reach HIPAA compliance." The proposal currently lists 23 licensed users post-cleanup; with caregivers included it is 60 (23 + 37 net-new caregivers, before any Reliable Agency per-person accounts). The cost delta + HIPAA rationale should be surfaced in `docs/proposals/m365-premium-upgrade.md` before re-presenting to Meredith.
## Caregiver roster (39 listed, 38 active)
Location codes: **Tower** = assisted living tower, **MC** = Memory Care.
Role flags: **CCG** = certified caregiver, **MedTech / MED TECH** = medication tech, **PRN** = as-needed/float, **NOC** = overnight.
### Tuesday–Saturday (14)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 1 | Thelma Abainza | thelma.abainza@ | AM | Tower | Caregiver | 520-867-2579 |
| 2 | Niel Castro | niel.castro@ | AM | Tower | MedTech / CCG | 520-697-4644 |
| 3 | Espe Esperance | espe.esperance@ | PM | Tower | MedTech | 520-788-9558 |
| 4 | Barbara Johnson | barbara.johnson@ | PM | Tower | Caregiver | 520-204-3449 |
| 5 | Kasey Flores | kasey.flores@ | AM | MC | Caregiver | 520-250-1451 |
| 6 | Richard Flores | richard.flores@ | AM | MC | Caregiver | 520-873-7727 |
| 7 | Marie Kastner | marie.kastner@ | PM | MC | Caregiver | 714-576-9858 |
| 8 | Bella Mendoza | bella.mendoza@ | PM | MC | Caregiver | 520-358-2000 |
| 9 | Rosa Morales | rosa.morales@ | PM | MC | MedTech | 312-213-8780 |
| 10 | Sandra Padilla | sandra.padilla@ | AM | Tower | MedTech / CCG | 520-585-3317 |
| 11 | ~~Polett Pinazavala~~ *(departed 2026-04-22)* | — | — | — | — | — |
| 12 | Whisper Reed | whisper.reed@ | Overnight | Tower | MedTech | 520-312-7575 |
| 13 | Patricia Sandoval-Beck | patricia.sandoval-beck@ | AM | Tower | MedTech | 520-343-8093 |
| 14 | Charity Sika | charity.sika@ | AM | MC | Caregiver | 623-251-8032 |
| 15 | Ederick Yuzon | ederick.yuzon@ | PM | Tower | Caregiver | 520-603-8816 |
### Sunday–Thursday (10)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 16 | Juan Andrade | juan.andrade@ | PM | MC | Caregiver | 520-528-4078 |
| 17 | Jahmeka Clarke | jahmeka.clarke@ | PM | MC | MedTech | 520-649-7034 |
| 18 | Karina Aziakpo | karina.aziakpo@ | Overnight | MC | MedTech / CCG | 520-392-6859 |
| 19 | Jinnelle Dittbenner | jinnelle.dittbenner@ | PM | Tower | Caregiver | 520-499-9996 |
| 20 | Christine Nyanzunda | christine.nyanzunda@ | AM (Sun/Mon only) | MC | MedTech | 520-304-4251 |
| 21 | Agnes McFerren | agnes.mcferren@ | AM | Tower | Caregiver | 520-406-3063 |
| 22 | Samuel Ramirez | samuel.ramirez@ | PM | Tower | Caregiver | 520-488-5798 |
| 23 | Erica Sanchez | erica.sanchez@ | AM | MC | Caregiver | 520-528-3387 |
| 24 | Katrina Wyzykowski | katrina.wyzykowski@ | AM | MC | MedTech | 520-347-1448 |
| 25 | Corey Tate | corey.tate@ | NOC | Tower | Caregiver only (no MedTech) | 520-535-7821 |
### Friday–Monday / weekend (5)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 26 | Ashli Atwood | ashli.atwood@ | Overnight | MC | MedTech / CCG | 715-200-1295 |
| 27 | Cole Johnson | cole.johnson@ | PM | Tower | MedTech | 818-970-0890 |
| 28 | Roseline Cooper | roseline.cooper@ | Overnight | MC | Caregiver | 520-278-6817 |
| 29 | Monique Lopez | monique.lopez@ | Doubles (Fri & Sat) | Tower | Caregiver | 520-596-0969 |
| 30 | Gloria Williford | gloria.williford@ | Doubles (Fri & Sat 5:45a–10p) | MC | MedTech | 928-551-1682 |
### Thursday–Monday (3)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 31 | Sarah Carroll | sarah.carroll@ | PM | Tower | Caregiver | 520-409-2341 |
| 32 | Luke Hogan | luke.hogan@ | AM | Tower | Caregiver | 520-312-0141 |
| 33 | Gina Williams | gina.williams@ | AM | Tower | Caregiver | 520-612-5075 |
### Split / other patterns (3)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 34 | Jen Higdon | jen.higdon@ | Mon/Wed/Fri AM | Tower | Caregiver | 520-730-3548 |
| 35 | Mary Kariuki | mary.kariuki@ | Sat–Mon + Wed PM | Tower | Caregiver | 520-309-1247 |
| 36 | CeCe Lassey | cece.lassey@ | Sun/Mon doubles + Tue PM | Tower | Caregiver | 520-248-5982 |
### Sunday & Monday only (1)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 37 | Paty Doran | paty.doran@ | AM | Tower | MedTech / CCG | 520-591-7368 |
### PRN / float (2)
| # | Name | Proposed UPN | Shift | Location | Role | Phone |
|---|------|--------------|-------|----------|------|-------|
| 38 | Ezekiel Huerta | ezekiel.huerta@ | PRN | Tower | Caregiver | 520-591-6113 |
| 39 | Maia Baker | maia.baker@ | PRN | MC | MedTech | TBD — not on shift list, only on Sheet2 |
All UPNs above use the `@cascadestucson.com` suffix (standard). The prefix convention is not consistent within this doc: the tables propose `firstname.lastname`, while the accounts referenced in the 2026-05-15/16 entries (`e.esperance@`, `k.flores@`, `j.clarke@`, `g.williford@`) use `f.lastname`. Confirm which convention the 37 created accounts actually received and reconcile the tables, because ALIS Email must equal the Entra UPN for SSO.
## Conflict / verify before creating
- **Christine Nyanzunda** — **Resolved 2026-04-22:** one person, one account. Existing `christine.nyanzunda@` mailbox covers both MC Admin role and her part-time Sun/Mon MedTech shifts. Do not create a second account.
- **SYNC WATCH-POINT (added 2026-05-14):** Verified this date — she has a cloud-only M365 account `christine.nyanzunda@cascadestucson.com` (`onPremisesSyncEnabled: null`, created 2023-10-26) and an existing AD account `Christine.Nyanzunda` that lives in a *departmental* OU (not `OU=Caregivers`). When caregiver AD accounts are created in `OU=Caregivers`, **do NOT create a `christine.nyanzunda` object there** — a duplicate inside the synced OU would soft-match/collide with her existing cloud account once Entra Connect staging is exited. Her existing account stays untouched by the `OU=Caregivers`-only caregiver sync. Deciding whether/how to move or sync her belongs to the office-staff (Phase 2) migration, NOT the caregiver phone rollout.
- **Paty Doran** — **Resolved 2026-04-22:** legal name `Patricia Camarena Doran`. Account will be `patricia.doran@`.
- **Polett Pinazavala** — **Resolved 2026-04-22 (John's reply): departed.** Remove from roster. No AD/M365 account exists so no disable needed.
- **Patricia Sandoval-Beck** — **Resolved 2026-04-22 (CSV inline note from Meredith):** hyphen is correct in the name and UPN. The SamAccountName is a separate problem: AD caps it at 20 characters, and both `patricia.sandoval-beck` (22) and the hyphen-free `Patricia.SandovalBeck` (21) exceed that, so it must be truncated or shortened deliberately (the UPN can keep the full name). ALIS/MDM handling of the hyphen is the second thing to test during Wave 3.
- **Espe Esperance** — **Resolved 2026-05-15:** one person. Legal name Niyonsaba Esperance (Niyonsaba = first, Esperance = last); goes by Espe at work. Account is `e.esperance@cascadestucson.com`, display name "Espe Esperance". She IS already in ALIS as "Niyonsaba Esperance" — Meredith must UPDATE that record's email field to `e.esperance@cascadestucson.com`, not add a new record.
- **Ederick Yuzon** — **Still pending:** spelling asked in 2026-04-22 email.
- **Maia Baker** — **Resolved 2026-04-22 (CSV inline note):** part-time, still employed.
- **Reliable Agency caregivers** — **Final decision 2026-04-22 (post-HIPAA review): NO shared logins.** Originally planned `reliable1@` / `reliable2@`; dropped because shared log-on IDs for PHI access violate 45 CFR §164.312(a)(2)(i) (Required spec, no compensating-control exception). Per-person accounts only, created when Reliable Agency supplies individual names. Rationale in `docs/security/hipaa-review-2026-04-22.md`.
## Licensing plan (when ready — NOT now)
**Current licensing (per `docs/cloud/m365.md`):**
- Business Standard: 34 purchased, all assigned (need to free via shared-mailbox conversion first)
- Entra P2: 1 unassigned (was Sandra Fish)
**Target for caregiver rollout:**
| License | Who gets it | Qty | Rationale |
|---|---|---|---|
| M365 Business Premium (replaces Standard) | All 23 existing licensed staff + 37 net-new caregivers (39 on the roster, less Polett Pinazavala who departed and Christine Nyanzunda who is already counted in the 23) | **60** | Includes Intune (Shared Device Mode for the Android phones), Defender for Business, Purview DLP, and Entra ID P1, which is the license Conditional Access actually requires. This is the SKU the proposal already describes |
| Entra ID P1 (standalone, IF we stay on Business Standard instead) | Same 60 | 60 | Only needed if we do NOT upgrade to Business Premium. The location and device-compliance policies below need P1; P2 adds risk-based sign-in policies, PIM and access reviews, none of which this plan uses. Premium already bundles P1; avoid double-paying |
**Recommended:** upgrade everyone to Business Premium, **don't** buy standalone Entra licenses. Standalone P1 is listed only as the fallback if budget forces staying on Standard; the single unassigned P2 we hold is not something this plan depends on.
### Quick cost math (order-of-magnitude, double-check in proposal)
| Scenario | Licenses | Rate (monthly) | Monthly total |
|---|---|---|---|
| Today (actual) | 34 × Standard | $12.50 | $425 |
| After shared-mailbox cleanup (no caregivers) | 23 × Premium | $22.00 | $506 |
| After caregiver rollout (this doc) | 60 × Premium | $22.00 | **$1,320** |
| Delta vs today | +$895/mo | | — |
That is a meaningful jump and needs to be in the proposal conversation with Meredith explicitly — it was missing from the 2026-04-14 version.
## Conditional Access policy plan (rough)
When licenses are in place and accounts exist:
1. **Named Location** in Entra = Cascades public IP(s) from pfSense WAN + VPN exit IP, entered as /32 ranges. Name it `CascadesTrustedLocation` and mark it trusted. Only static addresses belong here (see open items).
2. **Compliant Device** definition in Intune = corporate-enrolled Android (the 25 shared phones) + corporate-enrolled iPad (the 9 kitchen iPads) + hybrid-joined Windows PCs. Caveat: "require compliant device" only evaluates devices Intune knows about (enrolled directly or reported through a supported compliance partner). `docs/security/mdm.md` has the phones on ManageEngine with Intune flagged as future; until that is settled this grant would block the very phones it is meant to allow.
3. **CA Policy: Caregivers — Mobile: require compliant device**
- Assignment: Entra group `SG-Caregivers` (populated from AD group once accounts exist); exclude `SG-CA-BreakGlass`
- Cloud apps: Office 365 Exchange Online (covers Outlook mobile and OWA), `ALIS` once registered as an Entra app
- Conditions: Device Platforms = Android, iOS; Locations = Any
- Grant: Require device to be marked as compliant
4. **CA Policy: Caregivers — Block off-network (all platforms, all client apps)**
- Same group, same exclusion, same cloud apps
- Conditions: Locations = Any location, *excluding* `CascadesTrustedLocation`; Client apps = all (browser included)
- Grant: Block
- Location is a condition in Conditional Access, not a grant control, so "compliant AND on-network" cannot be expressed as one combined grant; it is the result of policies 3 and 4 applying together. Policy 4 also covers the desktop-browser-off-network case, so no separate browser policy is needed.
5. **Exclusion group** `SG-CA-BreakGlass` for Meredith + sysadmin, excluded from every policy above so we can't lock ourselves out.
CA policies should be deployed in **Report-only** mode for at least 7 days, reviewed against the Sign-in logs (report-only result per policy) and the What If tool, then switched to On.
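The plan above, expressed as Microsoft Graph PowerShell, as an added example (my script, not something from the rollout doc or from Cascades' tooling). It assumes the group names from this doc already exist in Entra, and the two IP addresses are placeholders from the TEST-NET-3 documentation range that must be replaced with the pfSense WAN and VPN exit IPs. The Exchange Online application ID is the well-known Office 365 Exchange Online service principal; ALIS is not included because it has not been registered yet. Both policies are created in report-only mode with the break-glass group excluded.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
# Added example, not the rollout doc's own script. Creates the named location and the
# two Conditional Access policies from the plan in report-only mode.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' | Out-Null

function Get-GroupId([string]$Name) {
    $g = Get-MgGroup -Filter "displayName eq '$Name'" -Property Id
    if (-not $g) { throw "Group '$Name' not found; create it before the CA policies" }
    return $g.Id
}
$caregivers = Get-GroupId 'SG-Caregivers'
$breakGlass = Get-GroupId 'SG-CA-BreakGlass'

# 1. Named location = Cascades public IP(s). Placeholder addresses (TEST-NET-3); replace
#    with the pfSense WAN and VPN exit IPs. Only static addresses belong in this list.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'CascadesTrustedLocation'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.10/32' }  # pfSense WAN (placeholder)
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.20/32' }  # VPN exit (placeholder)
    )
}

# Target apps: Office 365 Exchange Online (covers Outlook mobile and OWA).
# Append the ALIS enterprise app ID here once it is registered in Entra.
$apps = @('00000002-0000-0ff1-ce00-000000000000')
$users = @{ includeGroups = @($caregivers); excludeGroups = @($breakGlass) }

# 2. Location is a condition, not a grant control: block caregivers from any location
#    except the trusted one, for every platform and client app type (browser included).
$blockOffNet = @{
    displayName   = 'CA-Caregivers-Block-OffNetwork'
    state         = 'enabledForReportingButNotEnforced'   # report-only first, then 'enabled'
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = $apps }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Mobile access that survives policy 2 must still come from an Intune-compliant device.
#    Together the two policies yield "compliant AND on-site".
$requireCompliant = @{
    displayName   = 'CA-Caregivers-Mobile-RequireCompliantDevice'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = $apps }
        clientAppTypes = @('all')
        platforms      = @{ includePlatforms = @('android', 'iOS') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

foreach ($policy in @($blockOffNet, $requireCompliant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created $($created.DisplayName) in report-only mode (id $($created.Id))"
}
```

The `compliantDevice` grant only passes for devices Intune reports on, so while the phones are on ManageEngine the second policy will show every caregiver sign-in as "would block" in the report-only results; that is the signal to read before switching either policy to `enabled`.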
## AD placement (when accounts are created)
**All caregiver accounts go in `OU=Caregivers,OU=Departments,DC=cascades,DC=local`** — this is the OU in the Entra Connect sync scope (confirmed 2026-05-14). Do NOT place caregivers in `OU=Care-Assisted Living` / `OU=Care-Memorycare` — those hold office/clinical staff and are NOT in the sync scope; putting caregivers there means they either don't sync or you'd have to widen scope and drag office staff in. If Tower vs MC organization is wanted, use sub-OUs *under* `OU=Caregivers` (e.g. `OU=Tower,OU=Caregivers`) — the sync scope includes everything beneath `OU=Caregivers`.
**Two separate, deliberate steps per caregiver:**
1. Create the account in `OU=Caregivers` — controls whether it syncs to the cloud.
2. Add the account to `SG-Caregivers` — controls whether the Conditional Access policies apply. This is a deliberate decision made at creation time; an OU-to-group auto-mirror was considered and explicitly declined 2026-05-14.
- MedTech-flagged staff → also deliberately add to `SG-MedTech` (controls ALIS licensing tier) once that group exists.
- CCG-flagged staff → also deliberately add to `SG-CCG` (higher-privilege ALIS rights, if any) once that group exists.
Group-policy impact: the `CSC - Folder Redirection (LE)` work done for Life Enrichment does NOT apply here. Care-Assisted Living GPO pattern needs to be cloned from the finalized LE GPO once that's proven on Susan Hicks' machine (DESKTOP-ROK7VNM).
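The two deliberate steps per caregiver, plus the sync watch-point and the 20-character SamAccountName limit, as an added example (my script, not the one used on 2026-05-16). The inline roster is constructed from a few rows of the tables above; the UPN prefix rule is `firstname.lastname` as the tables propose and lives in one line so it can be switched to `f.lastname` if that is what the created accounts use. `SG-MedTech` and `SG-CCG` are assumed not to exist yet and are skipped with a warning. Each account gets its own random temporary password that is handed over out of band and never written anywhere.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users
# Added example, not the rollout doc's own script. Creates caregiver accounts in the synced
# OU and applies the two deliberate membership steps from the roster's role flags.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$OU     = 'OU=Caregivers,OU=Departments,DC=cascades,DC=local'
$Suffix = 'cascadestucson.com'
$DryRun = $true    # set to $false for the real run

# SamAccountName is capped at 20 characters and ALIS/MDM may reject hyphens, so derive
# it from the UPN prefix, strip punctuation other than the dot, and truncate.
function Get-SamFromUpnPrefix([string]$Prefix) {
    $sam = $Prefix -replace '[^A-Za-z0-9.]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    return $sam
}

# One random temporary password per user (never one shared value recorded in a doc).
function New-TempPassword([int]$Length = 16) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # modulo bias is negligible for a change-at-first-logon password
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Constructed sample roster (subset of the tables above; Active=No marks a departure).
$roster = @'
Name,Role,Active
Thelma Abainza,Caregiver,Yes
Niel Castro,MedTech / CCG,Yes
Polett Pinazavala,Caregiver,No
Christine Nyanzunda,MedTech,Yes
Patricia Sandoval-Beck,MedTech,Yes
'@ | ConvertFrom-Csv

foreach ($person in $roster) {
    if ($person.Active -ne 'Yes') { Write-Host "SKIP departed: $($person.Name)"; continue }
    $given, $surname = $person.Name -split ' ', 2
    $prefix = "$given.$surname".ToLower() -replace ' ', ''   # firstname.lastname convention
    $upn    = "$prefix@$Suffix"

    # Sync watch-point: a cloud-only Entra account with this UPN (onPremisesSyncEnabled not
    # true) means a new object in the synced OU would soft-match/collide with it once Entra
    # Connect leaves staging mode. Leave those accounts for the Phase 2 migration.
    $cloud = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, OnPremisesSyncEnabled
    if ($cloud -and -not $cloud.OnPremisesSyncEnabled) {
        Write-Warning "SKIP $upn : cloud-only account already exists (Phase 2)"; continue
    }
    if (Get-ADUser -Filter "userPrincipalName -eq '$upn'") {
        Write-Warning "SKIP $upn : already exists in AD"; continue
    }

    $sam = Get-SamFromUpnPrefix $prefix
    $pw  = New-TempPassword
    # Step 1: placement in OU=Caregivers decides whether the object syncs to the cloud.
    New-ADUser -Name $person.Name -GivenName $given -Surname $surname `
        -DisplayName $person.Name -SamAccountName $sam -UserPrincipalName $upn `
        -EmailAddress $upn -Path $OU -Enabled $true -ChangePasswordAtLogon $true `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) -WhatIf:$DryRun
    # Hand $pw to the caregiver out of band; this script does not log or store it.

    # Step 2: group membership decides which Conditional Access / ALIS tiers apply.
    $groups = @('SG-Caregivers')
    if ($person.Role -match 'MED ?TECH') { $groups += 'SG-MedTech' }   # -match is case-insensitive
    if ($person.Role -match 'CCG')       { $groups += 'SG-CCG' }
    foreach ($g in $groups) {
        if (-not (Get-ADGroup -Filter "name -eq '$g'")) {
            Write-Warning "$g does not exist yet; add $sam to it when it is created"; continue
        }
        if ($DryRun) { Write-Host "WOULD ADD $sam -> $g" }
        else         { Add-ADGroupMember -Identity $g -Members $sam }
    }
}
```

With the sample rows, `Patricia Sandoval-Beck` produces the UPN `patricia.sandoval-beck@cascadestucson.com` but the SamAccountName `patricia.sandovalbec` (20 characters), which is the truncation called out under "Conflict / verify before creating"; if a nicer short form is wanted it has to be chosen by hand before the real run.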
## Open items / decisions needed from client
- [x] ~~Confirm Christine Nyanzunda is one person, not two~~ (resolved 2026-04-22 — one person, one account)
- [x] ~~HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Maia Baker~~ (all resolved 2026-04-22)
- [x] ~~Espe Esperance identity~~ (resolved 2026-05-16 — one person, legal name Niyonsaba Esperance, goes by Espe; account e.esperance@cascadestucson.com)
- [x] ~~Create 37 caregiver AD accounts in OU=Caregivers~~ (done 2026-05-16 — 37 created, 0 failed; temp password Cascades2026!)
- [ ] **Temporary password follow-up:** the same temporary password was used for all 37 accounts and is written in this doc. Confirm "User must change password at next logon" is set on every account, reset any account not yet handed over to a per-user value, and remove the value from this file once onboarding is complete.
- [x] ~~Add all caregivers to SG-Caregivers~~ (done 2026-05-16 — 37 added, 0 failed)
- [ ] **Ederick Yuzon first-name spelling** — asked in 2026-04-22 email, still outstanding (created as Ederick from ALIS)
- [ ] **Christine Nyanzunda — Phase 2 handling (added 2026-05-14):** exclude her from caregiver AD account creation (she already has accounts). Her existing cloud-only M365 account must be moved/synced as part of the office-staff migration, not the caregiver rollout. See the SYNC WATCH-POINT under "Conflict / verify before creating" above.
- [x] ~~Reliable Agency shared-login short usernames~~ (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins, per-person only)
- [ ] **Reliable Agency contract review** — confirm staffing contract says caregivers work under Cascades direct clinical control (workforce) vs. agency-supervised (BA). Get individual caregiver names before any PHI access.
- [ ] **ALIS staff records (Meredith):** UPDATE Espe Esperance record email to e.esperance@cascadestucson.com; ADD records for Kasey Flores (k.flores@), Jahmeka Clarke (j.clarke@), Gloria Williford (g.williford@)
- [ ] **ALIS Email = Entra UPN for all caregivers** — set after accounts appear in M365 post-sync; required for ALIS SSO
- [ ] **M365 licensing** — 37 net-new Business Premium licenses needed (60 total with the 23 existing staff); Meredith purchase decision; up-front vs. waves?
- [ ] **ALIS BAA (Medtelligent)** — Meredith to verify signed copy exists; if not, request from Medtelligent support
- [ ] **Reliable Agency per-person accounts** — waiting on individual names; cannot create until received
- [ ] Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy
- [ ] Timeline expectations — tying this to the phone deployment and Business Premium purchase
## Related docs
- Proposal: `docs/proposals/m365-premium-upgrade.md` — currently sized for 23 users; needs updating
- MDM plan: `docs/security/mdm.md` — 25 phones + 9 iPads, ManageEngine; Intune Shared Device Mode is flagged as future
- M365 current state: `docs/cloud/m365.md`
- AD roster: `docs/servers/active-directory.md`
- HIPAA program: `docs/security/hipaa.md`